Add auth support for scorers #18699

Merged
BenWilson2 merged 6 commits into mlflow:master from BenWilson2:scorer-auth
Nov 17, 2025

BenWilson2 (Member) commented Nov 5, 2025

Install mlflow from this PR

# mlflow
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/18699/merge
# mlflow-skinny
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/18699/merge#subdirectory=libs/skinny

For Databricks, use the following command:

%sh curl -LsSf https://raw.githubusercontent.com/mlflow/mlflow/HEAD/dev/install-skinny.sh | sh -s pull/18699/merge

What changes are proposed in this pull request?

Adds a new auth reference to handle permissions associated with scorers via MLflow's auth feature.
For future work (considering that API keys will be associated with scorers) it is critical to ensure there is a mechanism to restrict via RBAC any scorers that may be scheduled to an Experiment.

Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
github-actions bot added the area/tracking (Tracking service, tracking client APIs, autologging) and rn/feature (Mention under Features in Changelogs) labels Nov 5, 2025
BenWilson2 added the team-review (Trigger a team review request) label Nov 5, 2025

perm = SqlScorerPermission(
experiment_id=experiment_id,
scorer_name=scorer_name,
user_id=user.id,
Collaborator

Q:
Are we going to support granting permission to a group of users? (E.g. I want to grant permission to all users for a scorer, but I don't want to add a SqlScorerPermission item for every user; this way needs updates if new users are created.)

Member Author

RBAC sounds very cool, but our auth system doesn't support it for any existing entities. Do I think we should eventually support it? YES. But I think that should be part of the 'bring auth directly into the tracking server as a core feature' sort of work. I do think we need this. Just not for this PR.

Comment on lines +19 to +22
CREATE_SCORER_PERMISSION = _get_rest_path("/mlflow/scorers/permissions/create")
GET_SCORER_PERMISSION = _get_rest_path("/mlflow/scorers/permissions/get")
UPDATE_SCORER_PERMISSION = _get_rest_path("/mlflow/scorers/permissions/update")
DELETE_SCORER_PERMISSION = _get_rest_path("/mlflow/scorers/permissions/delete")
Collaborator

Question:

Where are the permission validators for these endpoint paths?

These endpoints should only allow requests from Administrator users; otherwise every user can grant permission to himself.

Member Author

Lines 727-730 have the permission endpoints that check validate_can_manage_scorer_permission so only admins and those with can_manage authority can modify.
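
An added example, not MLflow's code and not part of the thread: a minimal model of the check described in the reply above, where a permission-management route is refused unless the caller is an admin or already holds MANAGE on that scorer, plus a check that every such route has a validator. Only the route paths and the name `validate_can_manage_scorer_permission` come from the page; `User`, `Store`, `authorize`, `unguarded_routes`, `create_permission` and the permission strings are assumptions made for illustration.

```python
# Added illustration (not MLflow source): deny-by-default authorization for the
# four scorer-permission routes named in the thread. Store, User and the
# permission strings are constructed for this sketch.
from dataclasses import dataclass, field

PERMISSION_ROUTES = [
    "/mlflow/scorers/permissions/create",
    "/mlflow/scorers/permissions/get",
    "/mlflow/scorers/permissions/update",
    "/mlflow/scorers/permissions/delete",
]

@dataclass
class User:
    name: str
    is_admin: bool = False

@dataclass
class Store:
    # (experiment_id, scorer_name, username) -> permission string
    grants: dict = field(default_factory=dict)

def validate_can_manage_scorer_permission(store, user, req):
    # Simplified stand-in for the validator named in the reply: the caller
    # must already hold MANAGE on this exact (experiment, scorer) pair.
    key = (req["experiment_id"], req["scorer_name"], user.name)
    return store.grants.get(key) == "MANAGE"

VALIDATORS = {path: validate_can_manage_scorer_permission for path in PERMISSION_ROUTES}

def unguarded_routes(routes, validators):
    # The reviewer's question as a check: which routes have no validator?
    return sorted(r for r in routes if r not in validators)

def authorize(store, user, path, req, validators=VALIDATORS):
    if user.is_admin:
        return True
    validator = validators.get(path)
    # A route with no validator is refused, never silently allowed.
    return validator is not None and validator(store, user, req)

def create_permission(store, user, req, validators=VALIDATORS):
    path = "/mlflow/scorers/permissions/create"
    if not authorize(store, user, path, req, validators):
        return 403
    key = (req["experiment_id"], req["scorer_name"], req["username"])
    store.grants[key] = req["permission"]
    return 200
```

Running `unguarded_routes` over the real route list in a unit test turns the reviewer's question into a regression check: a permission route added later without a validator fails the build instead of shipping open.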

<tbody>
<tr>
<td>Register Scorer</td>
<td>`2.0/mlflow/scorers/register`</td>
Collaborator

Suggested change
<td>`2.0/mlflow/scorers/register`</td>
<td>`3.0/mlflow/scorers/register`</td>

</tr>
<tr>
<td>List Scorers</td>
<td>`2.0/mlflow/scorers/list`</td>
Collaborator

Suggested change
<td>`2.0/mlflow/scorers/list`</td>
<td>`3.0/mlflow/scorers/list`</td>

</tr>
<tr>
<td>Get Scorer</td>
<td>`2.0/mlflow/scorers/get`</td>
Collaborator

Suggested change
<td>`2.0/mlflow/scorers/get`</td>
<td>`3.0/mlflow/scorers/get`</td>

</tr>
<tr>
<td>Delete Scorer</td>
<td>`2.0/mlflow/scorers/delete`</td>
Collaborator

Suggested change
<td>`2.0/mlflow/scorers/delete`</td>
<td>`3.0/mlflow/scorers/delete`</td>

</tr>
<tr>
<td>List Scorer Versions</td>
<td>`2.0/mlflow/scorers/list-versions`</td>
Collaborator

Suggested change
<td>`2.0/mlflow/scorers/list-versions`</td>
<td>`3.0/mlflow/scorers/list-versions`</td>

)


def _get_permission_from_scorer_id() -> Permission:
Collaborator

_get_permission_from_scorer_name?


_send_rest_tracking_post_request(
client.tracking_uri,
"/api/2.0/mlflow/scorers/permissions/create",
Collaborator

Can we use 3.0 for new permission endpoints?

Member Author

Thanks for the catch - one day I'll actually remember to be consistent about this for new routes ;)

TomeHirata (Collaborator) left a comment

LGTM!

BenWilson2 added this pull request to the merge queue Nov 17, 2025
Merged via the queue into mlflow:master with commit c8adda9 Nov 17, 2025
46 of 48 checks passed
BenWilson2 deleted the scorer-auth branch November 17, 2025 17:05
mprahl pushed a commit to opendatahub-io/mlflow that referenced this pull request Nov 21, 2025
Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Tian-Sky-Lan pushed a commit to Tian-Sky-Lan/mlflow that referenced this pull request Nov 24, 2025
Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Signed-off-by: Tian Lan <sky.blue266000@gmail.com>